(54) Enterprise network management using directory containing network addresses of users and devices providing access lists to routers and servers

(57) An enterprise network using a wide area network (WAN), and having routers and servers, uses a master directory to determine access rights, including the ability to access the WAN through the routers and the ability to access the server over the WAN.
Description

Field of the Invention 

[0001] The present invention relates to computer networks for managing enterprise network access and providing enterprise network security.

Background of the Invention 

[0002] The marketplace for many companies has expanded from a national to a world marketplace. Large international companies have expanded into global companies and smaller companies have become international competitors. This market expansion has been driven by technology that has made both voice and data communication easier.

[0003] Figure 1, generally at 50, shows a prior art system that distributed or remote users currently may use to communicate with a central or home network. The remote network 32 has remote users 34 that communicate through a wide-area network (WAN) 58 to a company or home network 82. WAN 58 may include dedicated or non-dedicated network links. A typical dedicated network would include frame relay network elements and a typical non-dedicated network would include TCP/IP network elements in a public network such as the internet.

[0004] Remote users can communicate with WAN 58 in a number of different ways. As shown in Figure 1, users 34 are part of a local network 32 that connects to the WAN 58 through a server 35 and router 36 and a dedicated local loop 39. Users 44 are part of a local loop 42 that connects to WAN 58 through server 45, router 46 and modem 48 that uses a public switched network (PSTN) 49. Local loop 39 and public switched circuit 49 connections normally are provided by a local exchange carrier (LEC) such as Southwestern Bell or Bell Atlantic.
[0005] Home network 60, shown in FIGURE 1, has a router 61, firewall 62, destination server 64 and a Local Area Network (LAN) 84 with a LAN server 86 and a number of workstations 88. There can be many LANs, servers, and other resources in the company or home network, including fax servers, printers, file servers, and database servers.

[0006] Firewall 62 is either a device or an application that controls the access between internal trusted LAN 84 and external public non-trusted networks such as the Internet or a PSTN. Firewall 62 tracks and controls communication, deciding where to pass, reject, encrypt, or log communications, and requires that these communications adhere to a defined security policy. Firewall 62 normally functions in four areas: access control; authentication; optional encryption/decryption; and routing. Firewalls manufactured by Check Point Software Technologies Ltd. and Raptor Systems, Inc. each have these capabilities.

[0007] Access control is the firewall mechanism to grant access to a class of users or to a class of users that use specific protocols, such as HTTP (the Internet access protocol). Access control is established by setting up user definitions, server and gateway definitions, and establishing protocols. Access control in a firewall is rule-based in that a security rule defines the relationship between the definitions.
[0008] Authentication is a mechanism to verify the authenticity of both the sender and the message. Broadly, authentication may encompass three types of technology: (1) password based; (2) token based; and (3) biometric. Authentication grants access privileges to specific users to access specific network resources and/or specific network applications.

[0009] Encryption/decryption is an optional mechanism to transform a message so that the encrypted message can only be read with the aid of some additional information (a key) known to the sender and the intended recipient alone. In secret key encryption, the same key is used to encrypt a message and then to decrypt it. In public key encryption, two mathematically related keys are used, one to encrypt the message and the other to decrypt the message.

[0010] Routing is a firewall mechanism to determine which network resource(s) should receive the message. In a typical firewall, a user, or user groups, can be routed to one or more destinations on the basis of certain rules. Because these rules require set-up and maintenance, the routing is typically controlled with broad rules for large groups of people or systems.

[0011] Firewalls are installed to address the threats of hostile external network intrusion but have limited abilities to reduce or eliminate internal network vulnerabilities or social engineering attacks as discussed below. Firewalls are generally rules-based products where a typical rule may be "Marketing users can get to the Internet Server only with HTTP".

Network Management 


[0012] An enterprise network is a network for an enterprise, including multiple LANs, routers and servers, typically geographically separated. The networks of the enterprise network can be connected together over a wide area network. Enterprise network management that has evolved from the mainframe environment is still centered mainly on the operating systems and is mostly manual and resource intensive.
[0013] Numerous tools have been developed to aid in network management. Routers are normally configured and managed with a Telnet tool. Telnet also is used for remote control of firewalls and servers. Simple Network Management Protocol (SNMP) is used to manage network nodes and to monitor operation. Servers are generally manually configured with users manually coded into a user control program. Other tools include capacity planning, fault management, network monitoring, and performance measurement.
[0014] A router or routing/switching device is used in enterprise networks to route user messages and files to and from internal LAN 82 and an external WAN 58. The routing device can recognize that the user workstation 88 has issued a destination address not located on LAN 82 for a message or for a file transfer and, therefore, that the message or file needs to be forwarded to external WAN 58. Similarly, the routing device can recognize a destination address on WAN 58 for resources on its internal LAN 82, and therefore the device will forward that WAN 58 message or file to the internal network served by the router 61.

[0015] An analogy to this data network routing is the operation of the PSTN (Public Switched Telephone Network). When a seven-digit number is dialed, if the first three digits are a valid local exchange, the call will remain in the local exchange. Similarly, when the NetID of the destination IP address is the same as the NetID of the local network, the data packets will remain on the LAN. If a ten-digit number is dialed and the first three digits are a valid area code, the call will be routed to the long distance network. Similarly, when the NetID of a destination IP address is different from the NetID of the local network, the data packets will be forwarded to the WAN.
[0016] Routing devices generally use one or more methods for obtaining routing instructions. First, routers have static routing instructions that are manually coded into the routing instructions. This manual coding may be by user interaction with a router operating system, such as Cisco IOS, or by downloading the coding over the network through Telnet or SNMP. Second, the router may learn routing instructions through routing protocols such as RIP or IGRP. These protocols communicate with other routers on the network and share routing information.
[0017] Computers with network interfaces and special multi-user software are used as LAN and WAN servers. A LAN server 84 may often be called a file server. While a server may often be considered a physical device, in general a server is a computer program that provides services to other computer programs in the same or other computers. Examples of network servers are WINS (Windows Internet Naming Server), DNS (Domain Name Server) and DHCP (Dynamic Host Control Protocol) server, Internet Application server, firewall server, Internet server and Intranet server.



Security

[0018] As enterprise-wide data networks have expanded, the need for network security has increased. Firewall and encryption technologies, as described in the prior art, have been developed to address some of the network security needs. However, the majority of network security problems is not being addressed by current technological solutions.

[0019] For remote networks, shown as networks 32 and 42 in FIGURE 1, the routers 36 and 46 are often programmed to accept 16,384 device addresses as valid, allowing connection to the internal networks 42 and 52 even though there are only 4 devices in network 32 and 5 devices in network 42. This large address space is programmed because it is difficult and time consuming to program the routers to the actual devices in these networks as the number of such devices changes. So in terms of security, there is over 3000 times (16,384 addresses / 5 actual addresses required) more opportunity to illegally penetrate the networks than is necessary. Router address space is normally contiguous, again for ease of network management, even though users come and go from the networks such that the IP addresses actually being used are not contiguous.

[0020] For servers 35, 46, 62, 64, and 66 in Figure 1 the user access is controlled by access control lists (ACLs). In these servers individual users are combined into groups (for instance, Bob Rogers could be part of the Marketing Group). Bob Rogers could then only access files whose ACL contained "Marketing Group." Because it is difficult and costly to develop ACLs in each server, most files have access restricted to "Everybody" or "Guests", so server access is available to everyone.

[0021] The largest reported losses in network security come from internal theft and sabotage. Internal networks are normally open so that many users have root level control, which allows operators to do everything on servers including copying files, planting viruses, and erasing all information. Disgruntled employees can take advantage of such an open network to perform illegal acts.

[0022] The next largest reported loss is referred to as "social engineering." Social engineering uses social interaction with inside employees to obtain network access information. Covert social engineering activities are typically undertaken when significant theft or espionage is planned, so it normally results in substantial losses.

[0023] The other area of reported losses is hostile external network intrusion. A firewall is useful for protecting a network in this area. In general, a firewall is useful for protecting networks from people unknown to the company, but most losses and network threats come from people known to the company.

Directory Services

[0024] Directory services products are generally focused on either LAN or WAN environments. The largest installed base of directory services is Novell's NDS (NetWare Directory Services) with over 10 million units installed. NDS is a product focused primarily at the LAN level and used to provide computer workstations 88 with access to shared resources such as file servers or printers in LANs 32, 42 and 82. The Novell product and other similar directory products are proprietary from product manufacturers and are not under the management of any open standards body.
[0025] One enterprise level directory technology (X.500) has been used to integrate phone directory information, e-mail, and fax addressing across an enterprise. A directory is an open standard database providing distributed, scalable, client/server-based repositories of data that are read much more frequently than modified (for example, user definitions, user profiles, and network resource definitions). User applications can access these directories through directory access protocols (DAPs). In network environments, exemplary DAPs include X.500 directory access protocols and Lightweight Directory Access Protocol (LDAP).
[0026] X.500 is a directory service defined by a set of international standards published jointly by the International Standards Organization (ISO) and the International Telecommunications Union (ITU, formerly CCITT) standards bodies. Originally developed in 1988 to be a general e-mail directory, the standards have developed to envision a general global information service. Directory services have been applied, as the name implies, to provide users with a directory of available services.
[0027] LDAP is short for Lightweight Directory Access Protocol, a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. However, unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. The Internet is being defined and specified by the Internet Engineering Task Force (IETF), with LDAP being defined and specified by a series of formal IETF Requests for Comments (RFCs). Like other Internet capabilities, LDAP has multiple meanings in different contexts. LDAP servers are fully functional directories that can be accessed by LDAP clients using the protocol defined by LDAP.

Architectural View of Directories

[0028] FIGURE 2 is a prior art functional diagram showing the relationship between the directory services and the ISO model network layers. The top ISO networking layer is an application, such as word processing, fax or e-mail. The bottom layer of the ISO model is the physical layer, such as a twisted pair of wire or fiber optic cable. Current directory services are an application program that works to manage other application layer programs such as e-mail, phone directories and faxing.
[0029] FIGURE 2 shows the OSI (open system interconnect) reference model that describes communications in the seven hierarchical layers that are shown. Each of these layers provides services to the layer above and invokes services from the layer below. Typically, end users of the communications system interconnect to the application layer, which may be referred to as a distributed operating system because it supports the interconnection and communication between end users that are distributed. The OSI model allows the hiding of the difference between locally connected and remotely connected end users, so the application layer appears as a global operating system. Normally, in a distributed operating system, the global supervisory control for all of the layers resides in the application layer.
[0030] Each of the layers contributes value to the communications system. The application layer uses the presentation layer, and is concerned with the differences that exist in the various processors and operating systems in which each of the distributed communications systems is implemented. The presentation service layer uses the session layer, and manages the dialogue between two communicating partners. The session layer assures that the information exchange conforms to the rules necessary to satisfy the end user needs. The session layer uses the transport layer, and creates a logical pipe between the session layer of its system and that of the other system. The transport layer uses the network layer to create a logical path between two systems. The transport layer is responsible for selecting the appropriate lower layer network to meet the service requirement of the session layer entities. This connection is generally thought of as a point-to-point connection. The network layer uses the data link layer, and establishes a connection between the entities, and this is based on a protocol for the connection. The data link layer uses the physical layer. The data link layer is responsible for building a point-to-point connection between two system nodes that share a common communication system. The data link layer is only aware of the neighboring nodes on a shared channel. Each new circuit connection requires a new link control. The physical layer is responsible for transporting the information frame into a form suitable for transmission onto a medium.

[0031] FIGURE 3 is a functional block diagram showing the positioning of directory services and network devices, such as routers and servers, on the ISO network layers. The protocol originally developed for the directory services application to communicate with other applications, like e-mail, was DAP. Recently the LDAP protocol was defined at the network layer to allow communication between servers, routers, firewalls and other network level devices.

[0032] For an application (ISO Layer 7) to have a unique operation at the lower layers, such as a device operating at the Session Layer (ISO Layer 5) level, application programs are required to add the specific functionality between these layers.
[0033] FIGURE 4 is a functional block diagram showing how an application could access information from directory services and send that information to a router or server operating at Layer 5 using Telnet or FTP as the protocol, for example. Similarly, in FIGURE 4, an application in a router or server could send and retrieve information to or from directory services using the LDAP protocol.
Summary of the Invention



[0034] The present invention extends the concept of directory services to the management and control of enterprise networks by integrating directory technology, router/gateway management, and server management to form an enterprise network management and network security solution. By integrating directory services to perform these extended functions, a firewall can be deleted or omitted and a stronger implementation of firewall functions can be integrated into other network elements, and can be controlled by a master directory. From an architectural standpoint, the present invention provides supervisory control in the network and data link layers, rather than in the application layers as such control is traditionally provided.

[0035] An enterprise directory residing on a directory server stores the names, workstations, router/gateways, servers, IP addresses, locations, passwords, and encryption keys for individuals. Periodically, the directory server downloads to each router/gateway across the WAN router/gateway access lists (RALs), thereby controlling all network access across the WAN. Also periodically, the directory server downloads user control files to servers in the network, thereby controlling all server access across the WAN. This directory-based invention thus provides enhanced network control, and enhanced network security.

CONCEPT OF THE INVENTION

[0036] An enterprise directory residing on a directory server stores the names, workstations, router/gateways, servers, IP addresses, locations, passwords, and encryption keys for individuals. Periodically, the directory server downloads to each router/gateway across the WAN router/gateway access lists (RALs), thereby controlling all network access across the WAN. Also periodically, the directory server downloads user control files (UCFs) to servers in the network, thereby controlling all server access across the WAN. This directory-based invention thus provides enhanced network control, and enhanced network security.
[0037] The directory uses the concepts of objects and object attributes. The users, router/gateways, and servers are objects. The IP address, password, privileges, and location are attributes of each user, server, and router/gateway. Another attribute of each router/gateway is the RAL. The RAL defines the operation of the router/gateway (i.e., defines which IP addresses will be routed to which destination). Because the directory knows the location and IP address of each user, and the location and IP address of each router/gateway, a directory application can periodically populate the RAL in each router/gateway on the network using LDAP. Entries in the directory thereby control the entire network, and the network router/gateway configuration management is automated.



[0038] Network servers can be both physical and logical devices. A physical server located in an accounting department may contain a number of logical servers such as payroll, accounts receivable, accounts payable, etc. Access to these logical servers is controlled by user authentication and user privileges contained in the UCF on that server. The directory contains both the users and servers as objects. Directory user attributes include the authentication criteria and privileges for each server in the network. Directory attributes for each server include the name of the UCF and the UCF contents. A directory application would periodically populate the UCFs in each server with the directory user information. Entries in the directory then control access to all servers across the enterprise.

[0039] Because the user and user server access are tightly coupled and easily managed in the directory, the company can greatly restrict root level access, which typically allows server files to be modified, deleted, or copied. Such access is a major target for disgruntled employees. The ability to instantly change users and user access control directly affects the greatest source of network loss for many corporations. Passwords are a user attribute in the directory. Because the user and user passwords are tightly coupled and easily managed in the directory, the company can easily automate a password control program. The directory also manages e-mail, so the new password can be automatically distributed by secure e-mail. Effective password management can aid in reducing the second greatest network threat of security loss, i.e., loss due to social engineering.
[0040] Hostile external intrusion is the third area of network security. The present invention can replace the user authentication function of the firewall with the distributed user authentication directory services. Each router/gateway in the system will pass information only for the designated users. Logical servers have authentication services specific to that server. That individual server authentication can be password, token, or biometric. This distributed authentication provides greatly enhanced security over a firewall-protected network.
[0041] The present invention provides access control by directory management of RALs, and also provides user authentication capabilities that are associated with server access lists. The methods and means for authentication are currently provided by Microsoft NT servers or Sun Microsystems servers. This server-based authentication is generally adequate for small networking environments but may not be adequate for large enterprise networks.
[0042] To define enhanced security greater than the current server-based security, this invention uses certificates defined with the public key structure of X.509. X.509 is a subset of X.500, so that the X.509 public key structure is an integral part of the X.500 and LDAP directories.

[0043] Certificates are a strong user authentication concept, exceeding firewall authentication, and can be integrated into directory services. Certificates represent flexible enabling technology, which allows clients and servers to authenticate themselves to each other, and set up an encrypted channel for the duration of a communication session. Certificates can be used to secure the communication link, the user identity, the integrity of data and confidentiality of the information. A corporation can issue certificates to its employees, contractors, customers, suppliers, and other business partners. These certificates can then be used to grant/deny access to sensitive network resources on the WAN.
[0044] A certification authority (CA) is a third-party authority responsible for issuing certificates to identify a community of individuals, systems or other entities that make use of a computer network. By digitally signing the certificates it issues, the CA vouches for the identity and trustworthiness of certificate owners. Network users possess the CA's own self-signed public key certificate (often referred to as the "root key"), and use it to verify other users' certificates. In doing so, they have assurance that others are who they say they are, and know that the CA (whom they recognize and trust) vouches for them.
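The root-key relationship of [0044], as an added example in Go that is not part of the patent: a CA issues itself a self-signed certificate, signs a certificate for an employee, and a network user who holds only the CA's root certificate verifies that chain, while a certificate from an unrelated CA is rejected. Only the standard library's crypto/x509 package is used; the CA names, the user name, serial numbers and the one-day validity period are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewRootCA creates the CA's self-signed certificate (the "root key" certificate
// that network users hold) together with its private key.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueUserCert has the CA sign a certificate binding a user name to a fresh key pair.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey) // signed by the CA
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAgainstRoot is the check a network user performs: the presented certificate
// must chain to the root certificate the user already trusts.
func VerifyAgainstRoot(root, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo builds a corporate CA, issues a certificate to an employee, and checks that a
// certificate issued by an unrelated CA for the same name is rejected (constructed scenario).
func Demo() (employeeErr, strangerErr error) {
	corpCA, corpKey, err := NewRootCA("Example Corp Root CA")
	if err != nil {
		return err, err
	}
	employee, _, err := IssueUserCert(corpCA, corpKey, "bob.rogers", 2)
	if err != nil {
		return err, err
	}
	otherCA, otherKey, err := NewRootCA("Unrelated CA")
	if err != nil {
		return err, err
	}
	stranger, _, err := IssueUserCert(otherCA, otherKey, "bob.rogers", 3)
	if err != nil {
		return err, err
	}
	return VerifyAgainstRoot(corpCA, employee), VerifyAgainstRoot(corpCA, stranger)
}

func main() {
	ok, rejected := Demo()
	fmt.Println("employee certificate:", ok)       // nil: chains to the trusted root
	fmt.Println("stranger certificate:", rejected) // unknown authority: not issued by the trusted CA
}
```

The stranger's certificate carries the same common name as the employee's, so the name alone proves nothing; only the signature chain to the root the verifier already holds distinguishes the two, which is the point [0044] makes about the root key.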

[0045] The invention integrates the directory attributes of public/private keys and associates the keys with employee, vendor, and customer directory objects to provide a level of security and protection unavailable in the prior art. By providing such general and generic control of enterprise security, the present invention allows the directory to define security policy on a user basis, whether this user is internal or external to the network, and provides as many options as there are users times the number of network controllable elements.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0046] FIGURE 1 illustrates a prior art network.
[0047] FIGURE 2 illustrates a prior art architectural 
block diagram. 

[0048] FIGURE 3 illustrates a prior art architectural 
protocol block diagram. 

[0049] FIGURE 4 is an architectural block diagram [functional block] illustrating exemplary architecture embodying the directory management of an embodiment of the present invention.

[0050] FIGURE 5 is a functional block diagram illustrating detailed operation of the network ACL management of the present invention.

DETAILED DESCRIPTION 

[0051] The present invention is a management system and method for an enterprise network. The invention can provide security by integrating directory technology with router/gateway management and server management.

[0052] FIGURE 5 is a functional block diagram illustrating an exemplary architecture and topology of an enterprise network 90 according to the present invention. A master directory, preferably implemented with LDAP or other standards, is located on a server 92 at a central location on an enterprise network on a LAN 82. Distributed directories may be located on remote servers 32 and 42 in the enterprise network. Master directory 92 and distributed directories contain objects and object attributes. The distributed directories may be synchronous with the master directory.
[0053] In the embodiment of the present invention, the objects may be individuals' names, workstations, servers, and network routers/gateways. The individuals' names may be the names of employees, vendors, or customers. The user attributes are preferably the IP address, location, password, and encryption keys. The user IP address contains the user location; the NetID field of the IP address identifies the LAN on which the user is located and therefore the location. The router/gateway attributes preferably are IP address, location, and router access list (RAL). The server attributes preferably are IP address, location, and the name of the user control file (UCF).

[0054] Relying on the user location designated by the address of the LAN on which the user is resident, the directory services will download the RALs to the router/gateway to allow or deny access for each user to the WAN 58, depending upon the access privileges of that user contained in the directory. For example, master directory 92 may contain the users of LAN 32, and the NetID of the users' TCP/IP addresses will designate that they are associated with router/gateway 36. The RAL for router/gateway 36 resides in master directory 92 and is downloaded through router/gateway 61 and WAN 58 into router/gateway 36. After this download, only the users of LAN 32 that have privileges to use WAN 58 as set in master directory 92 will be able to be forwarded by router/gateway 36 to WAN 58. Complete control of WAN 58 access is thereby controlled by directory entries.
[0055] To download the RAL to each router/gateway, a directory support application program (RAL-AP) is enabled. FIGURE 6 is a flowchart illustrating an exemplary method to determine the RAL for each router/gateway by a RAL-AP. The RAL-AP scans the master directory for router/gateway objects at 400. RAL-AP then determines the IP subnet address from the router/gateway's IP address at 401. At 402 the RAL-AP scans the directory and determines the router/gateway association of each user that is located in each subnet identified in 401. RAL-AP then generates the RALs for each router/gateway in the network at 403. In the embodiment of Figure 5, the RAL-AP would be an application associated with directory 92. The RAL-AP first pushes the RAL for router/gateway 61 by locating the IP address of the router/gateway 61 in the directory and pushes the data with the Telnet or LDAP protocol as illustrated in Figure 6 at 404. Using WAN 58, the RAL-AP pushes the RAL using the Telnet protocol to each respective router/gateway found in the directory. In the embodiment of Figure 5, router/gateways 46 and 36 would be similarly configured.
[0056] Similarly, user control files (UCFs) are attributes of servers in the directory. User privileges, set in the directory, define which servers each user can access. These UCFs are downloaded to each server in the directory structure. For example, server 45, resident on LAN 42, may contain the payroll records files, accounts receivable records files, and accounts payable records files all individually organized as logical servers inside physical server 45. Each of these logical servers will have a UCF associated with that server. The name of each logical server control file and the contents of that UCF are resident in master directory 92. Periodically, master directory 92 will reconstruct the individual server's UCF based on the latest user privileges defined in the master directory 92 and download that UCF to the appropriate server. Complete server access control is thereby controlled by directory entries.
[0057] To download the user control file to each server, a directory support application program (UCF-AP) is enabled. UCF-AP scans the directory, determines the server association of each user in the directory and generates the UCFs for each server in the network. In Figure 5, UCF-AP is an application in server 64. UCF-AP first pushes the UCF for server 86 by locating the IP address of server 86 in the directory and pushes the data with the NetBIOS protocol. UCF-AP then pushes the UCF for firewall 62 using the FTP protocol. Using the WAN 58, the program pushes the UCF to each server in the directory. 
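The RAL push described above and the UCF push of paragraphs [0056] and [0057], together with the name/source-address table of item 6 in the summary below, as an added example (not code from the patent or from any product it describes): a toy master directory from which per-router RALs and per-server UCFs are regenerated on every refresh, with the router-side and server-side access decisions that consume them. All user names, device names, addresses and the dictionary layout are constructed; the push is recorded as a log entry rather than sent over Telnet, LDAP, NetBIOS or FTP.

```python
"""Toy model of the directory-driven access control described above.
Added example, not code from the patent: the master directory is the only
place privileges are set; router access lists (RALs) and user control files
(UCFs) are rebuilt from it on each refresh and pushed to each device.
Every name, address and the dictionary layout here is constructed."""
import copy
import ipaddress

# Constructed master directory. Users carry a workstation address, their LAN,
# whether they may reach the WAN, and the logical servers they may use.
MASTER_DIRECTORY = {
    "users": {
        "alice": {"address": "10.1.0.11", "lan": "lan42", "wan": True,
                  "servers": {"payroll", "accounts_receivable"}},
        "bob":   {"address": "10.1.0.12", "lan": "lan42", "wan": True,
                  "servers": {"accounts_payable"}},
        "carol": {"address": "10.2.0.21", "lan": "lan32", "wan": False,
                  "servers": set()},
    },
    "router_gateways": {
        "router46": {"address": "10.1.0.1", "lan": "lan42"},
        "router36": {"address": "10.2.0.1", "lan": "lan32"},
    },
    "servers": {
        "server45": {"address": "10.1.0.5",
                     "logical": ["payroll", "accounts_receivable",
                                 "accounts_payable"]},
    },
}


def build_rals(directory):
    """RAL per router/gateway: source addresses on that router's LAN that the
    directory marks as allowed onto the WAN (sorted so pushes are stable)."""
    rals = {}
    for router, rattrs in directory["router_gateways"].items():
        rals[router] = sorted(
            u["address"] for u in directory["users"].values()
            if u["lan"] == rattrs["lan"] and u["wan"])
    return rals


def build_ucfs(directory):
    """UCF per physical server: a table associating names with source
    addresses, plus the names allowed on each logical server it hosts."""
    ucfs = {}
    for server, sattrs in directory["servers"].items():
        names_by_address = {}
        allowed = {logical: set() for logical in sattrs["logical"]}
        for name, u in directory["users"].items():
            ipaddress.ip_address(u["address"])   # reject malformed entries early
            names_by_address[u["address"]] = name
            for logical in u["servers"]:
                if logical in allowed:
                    allowed[logical].add(name)
        ucfs[server] = {"names_by_address": names_by_address,
                        "allowed": allowed}
    return ucfs


def server_access(ucf, logical, source_address):
    """Server-side decision as in summary item 6: resolve the source address
    to a name, then decide from the name. Returns (allowed, name)."""
    name = ucf["names_by_address"].get(source_address)
    if name is None:
        return False, None          # unknown address: no name, so no access
    return name in ucf["allowed"].get(logical, set()), name


def router_access(ral, source_address):
    """Router-side decision: only addresses on the pushed RAL reach the WAN."""
    return source_address in ral


def refresh(directory):
    """One periodic refresh: rebuild every RAL and UCF and record the push to
    each device's directory address. Returns the push log."""
    log = []
    for router, ral in build_rals(directory).items():
        log.append((directory["router_gateways"][router]["address"],
                    "RAL", router, ral))
    for server, ucf in build_ucfs(directory).items():
        log.append((directory["servers"][server]["address"],
                    "UCF", server, ucf))
    return log


def revoke_server_privilege(directory, user, logical):
    """Change a privilege in the directory only; the next refresh propagates it.
    Returns a modified copy so the constructed directory stays unchanged."""
    updated = copy.deepcopy(directory)
    updated["users"][user]["servers"].discard(logical)
    return updated


if __name__ == "__main__":
    for address, kind, device, payload in refresh(MASTER_DIRECTORY):
        print(f"push {kind} for {device} to {address}: {payload}")
```

Two properties of the design show up directly in the code: a privilege changes in exactly one place (the directory) and reaches routers and servers only through the next refresh, and every server-side decision is keyed on the source address, so the UCF's name/address table and the RAL that filters addresses before they reach the server are the two artifacts whose integrity the scheme depends on.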

[0058] Having described preferred embodiments, it should be apparent that modifications can be made without departing from the scope of the present invention. 

[0059] It should be noted that the objects and advantages of the invention may be attained by means of any compatible combination(s) particularly pointed out in the items of the following summary of the invention and the appended claims. 

Summary of the Invention 

[0060] 

1. A master directory service for a wide area network (WAN), comprising: 

a wide area network; 
a plurality of local area networks (LAN) connected to the WAN through router/gateways; 
a directory connected to one or more LAN; 
a master directory having a directory of objects, including servers and router/gateways, the objects having attributes for indicating access right, connected to one of said plurality of LANs, said master directory distributing information to the directory of each LAN, said information indicating which of the users of each of the plurality of LANs connected to the WAN, allowed to have access to the WAN resources such as router/gateways, servers and workstations. 

2. The WAN wherein the WAN is a data grade network. 

3. The WAN wherein the WAN is an Internet that uses TCP/IP. 

4. The WAN wherein the master directory periodically updates the attribute information of each directory of each LAN. 

5. The WAN wherein the master directory updates the attribute information daily. 

6. The WAN wherein the attribute information to each server includes a table associating names and source addresses, the server determining the name from the source address and determining whether access is to be allowed from the name associated with the source address. 

7. The WAN wherein one or more LAN router/gateway(s) serves as a certification gateway for security. 

8. The WAN wherein the certification conforms to X.509 standards. 

9. The WAN wherein each directory and the master directory conforms to at least one of X.500 and LDAP standards. 

10. The network where master directory information is requested by an application program running in the router/gateway. 

11. The network wherein each router/gateway serves as a certification security, certification conforms to X.509 standards, and each directory conforms to at least one of X.500 and LDAP standards. 

12. The network wherein the master directory is a single master directory. 

13. The network wherein the master directory is a distributed directory, distributed among local area networks. 

14. A method for managing access in an enterprise network interconnected over a wide area network (WAN), the method comprising: 

maintaining a master directory with objects indicating servers and router/gateways, the objects having attributes indicating access rights to and/or from the object; 
providing to a router/gateway, which is in data communication with the WAN, information from the master directory indicating which clients on the enterprise network are allowed to access information over the WAN; and 
providing to a server, which is in data communication with the WAN, information from the master directory indicating which clients of the enterprise network are allowed to retrieve, store/update information to/from the server. 

15. The method wherein the providing steps are each performed periodically. 

16. The method wherein the information from the master directory is provided to each router/gateway and server over the WAN. 

17. The method wherein the enterprise network has a plurality of router/gateways and a plurality of servers in data communication with the WAN, the method including providing access information to each of the router/gateways and to each of the servers. 

18. The method wherein the maintaining is performed in accordance with at least one of X.500 and LDAP standards. 

19. A network comprising: 

a master directory having objects and attributes, the objects including router/gateways and the attributes for the router/gateways including a router/gateway access list (RAL); and 
a router/gateway connected to a group of users for providing access for the users to a wide area network (WAN), the router/gateway for receiving its respective RAL from the master directory and for using information in the RAL to determine whether one of the group of users will be allowed access to the WAN. 

20. A network comprising: 

a master directory having objects and attributes, the objects including servers and the attributes for the servers including a user control file (UCF); and 
a number of servers connected to and accessible over a wide area network (WAN) for providing information to users over the WAN, each server receiving its respective UCF from the master directory and for using the UCF to determine whether a user will be allowed access to WAN resources, including router/gateways, servers and workstations. 



Claims 

1. A master directory service for a wide area network (WAN), comprising: 

a wide area network; 
a plurality of local area networks (LAN) connected to the WAN through router/gateways; 
a directory connected to one or more LAN; 
a master directory having a directory of objects, including servers and router/gateways, the objects having attributes for indicating access right, connected to one of said plurality of LANs, said master directory distributing information to the directory of each LAN, said information indicating which of the users of each of the plurality of LANs connected to the WAN, allowed to have access to the WAN resources such as router/gateways, servers and workstations. 

2. The WAN according to Claim 1, wherein the WAN is a data grade network. 

3. The WAN according to Claim 1, wherein the WAN is an Internet that uses TCP/IP. 

4. The WAN according to Claim 1, wherein the master directory periodically updates the attribute information of each directory of each LAN. 

5. The WAN according to Claim 4, wherein the master directory updates the attribute information daily. 

6. The WAN according to Claim 1, wherein the attribute information to each server includes a table associating names and source addresses, the server determining the name from the source address and determining whether access is to be allowed from the name associated with the source address, 

and/or wherein preferably one or more LAN router/gateway(s) serves as a certification gateway for security, 

and/or wherein preferably the certification conforms to X.509 standards, 

and/or wherein preferably each directory and the master directory conforms to at least one of X.500 and LDAP standards, 

and/or wherein preferably master directory information is requested by an application program running in the router/gateway, 

and/or wherein preferably each router/gateway serves as a certification security, certification conforms to X.509 standards, and each directory conforms to at least one of X.500 and LDAP standards, 

and/or wherein preferably the master directory is a single master directory, 

and/or wherein preferably the master directory is a distributed directory, distributed among local area networks. 

7. A method for managing access in an enterprise network interconnected over a wide area network (WAN), the method comprising: 

maintaining a master directory with objects indicating servers and router/gateways, the objects having attributes indicating access rights to and/or from the object; 
providing to a router/gateway, which is in data communication with the WAN, information from the master directory indicating which clients on the enterprise network are allowed to access information over the WAN; and 
providing to a server, which is in data communication with the WAN, information from the master directory indicating which clients of the enterprise network are allowed to retrieve, store/update information to/from the server. 

8. The method of claim 7, wherein the providing steps are each performed periodically, 

and/or wherein preferably the information from the master directory is provided to each router/gateway and server over the WAN, 

and/or wherein preferably the enterprise network has a plurality of router/gateways and a plurality of servers in data communication with the WAN, the method including providing access information to each of the router/gateways and to each of the servers, 

and/or wherein preferably the maintaining is performed in accordance with at least one of X.500 and LDAP standards. 

9. A network comprising: 

a master directory having objects and attributes, the objects including router/gateways and the attributes for the router/gateways including a router/gateway access list (RAL); and 
a router/gateway connected to a group of users for providing access for the users to a wide area network (WAN), the router/gateway for receiving its respective RAL from the master directory and for using information in the RAL to determine whether one of the group of users will be allowed access to the WAN. 

10. A network comprising: 

a master directory having objects and attributes, the objects including servers and the attributes for the servers including a user control file (UCF); and 
a number of servers connected to and accessible over a wide area network (WAN) for providing information to users over the WAN, each server receiving its respective UCF from the master directory and for using the UCF to determine whether a user will be allowed access to WAN resources, including router/gateways, servers and workstations. 